Cybersecurity
Image Source: Richard Patterson

Member Article

Attacks on Microsoft Exchange connected to Hades ransomware gang

A China-linked hacking group blamed for attacks on Microsoft Exchange servers has been connected to the Hades ransomware gang.

During an investigation into Hades, Awake L0214abs identified a “potential connection” with Hafnium.

Its incident response team said its “engagements with Hades and other threat actors has us increasingly convinced that ransom is not the only objective for at least some of these gangs”.

“We uncovered evidence tactics, techniques and procedures that can be attributed to multiple sophisticated adversaries including Hafnium group, the threat actor Microsoft says is behind the recent Exchange Server hack,” Awake Labs wrote.

Attivo Networks has also been researching the group and released details of five Indicators of Compromise’“ to Hafnium.

The recent Hafnium attacks drew attention to several Microsoft Exchange Server vulnerabilities, but other groups are taking advantage of these to launch ransomware attacks.

Attackers are targeting enterprises exploiting the four recent Microsoft Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to deploy the DearCry ransomware. Post exploitation, attackers are moving inside the network by stealing privileged credentials from Active Directory to increase the number of systems where they deploy ransomware.

Once installed, the DearCry ransomware uses AES-256 and RSA-2048 to encrypt files. The DearCry ransomware has been targeting and encrypting files with the following file extensions:

.TIF .TIFF .PDF .XLS .XLSX .XLTM .PS .PPS .PPT .PPTX .DOC .DOCX .LOG .MSG .RTF .TEX .TXT .CAD .WPS .EML .INI .CSS .HTM .HTML .XHTML .JS .JSP .PHP .KEYCHAIN .PEM .SQL .APK .APP .BAT .CGI .ASPX .CER .CFM .C .CPP .GO .CONFIG .PL .PY .DWG .XML .JPG .BMP .PNG .EXE .DLL .CAD .AVI .H.CSV .DAT .ISO .PST .PGD .7Z .RAR .ZIP .ZIPX .TAR .PDB .BIN .DB .MDB .MDF .BAK .LOG .EDB .STM .DBF .ORA .GPG .EDB .MFS

Below are five examples of Indicators of Compromise captured by Attivo solutions, related to documented adversary activity specific to the group:

The attacker used MITRE ATT&CK Techniques T1003.001, Dumping lsass.exe Process Memory to steal privileged Credentials from Exchange Server using procdump64.exe.

Although researchers did not document this specific technique, adversaries widely use MITRE ATT&CK Techniques T1003.001, Dumping lsass.exe Process Memory to Get Credentials using Mimikatz.exe.

The attackers created Local Admin accounts for persistence as well as new Local Admins, Privileged Domain accounts, or Delegated Admin accounts (MITRE ATT&CK Techniques T1136).

The group used PSExec against a Remote System (MITRE ATT&CK Techniques T1021).

Attackers also added Exchange PowerShell snap-ins to export Mailbox Data (MITRE ATT&CK Techniques T1059).

Considering the criticality of the vulnerabilities, Microsoft released out-of-band patches on March 2, 2021, to fix the reported vulnerabilities.

Unfortunately, many organizations have not patched immediately, and attackers compromised them before the patch was available, resulting in the group using the web shell backdoor to move further inside the network. Volexity confirmed the attackers combined the Exchange exploitation with another vulnerability, CVE-2021-27065, to perform remote code execution (RCE) and conduct lateral movement.

After the initial compromise, Hafnium operators accessed email accounts and deployed web shells on the compromised servers, which they then used to steal data and expand the attack. Since enterprises deploy Outlook Web Access (OWA) on public networks, it enabled the group to compromise many organizations across a large set of industries.

In a research note, Gorang Joshi, Anil Gupta and Saravanan Mohan wrote: “This incident is another example of how sophisticated attackers can combine multiple attack techniques to exploit and move laterally inside the enterprise. Prevention technologies and patching are critical, but they are not enough, as the attackers have demonstrated.

“Having robust products and processes to detect lateral movement early before the adversary gains a foothold deep inside the enterprise’s network and systems is critical to protect its data and ‘crown jewels’.

“Fortunately, there are mature tools available to detect lateral movement accurately without incurring significant investment.”

This was posted in Bdaily's Members' News section by Gabby Dunne .

Enjoy the read? Get Bdaily delivered.

Sign up to receive our popular morning London email for free.

* Occasional offers & updates from selected Bdaily partners

Our Partners

Top Ten Most Read